Resolutions, opinions and reports search tool

El tratamiento de los datos necesarios para la realización de las pruebas de los procesos de selección de personal, incluidas los datos de salud de los participantes, tiene como base jurídica el cumplimiento de una misión en interés público y el cumplimiento de obligaciones específicas de las administraciones competentes establecidas por la normativa de función pública. La grabación de las pruebas psicotécnicas requiere, además de su previsión en las correspondientes bases de las convocatorias (con la concreción y determinación de las garantías específicas necesarias), la realización previa de una AIPD. No parece que la base jurídica del consentimiento sea adecuado para legitimar el tratamiento de los datos de los aspirantes a un proceso selectivo con la finalidad descrita, dado que no se puede considerar que en el caso planteado pudiera haber un consentimiento realmente libre, ni la posibilidad de establecer medios alternativos que garantizaran el principio de igualdad que tiene que regir los procedimientos selectivos.

The complainant considered that, by publishing the results of the chess competitions, organised by the FCE, the participants' health data were disseminated and preserved whenever, to participate in the competition, the Passaport Covid-19 had to be exhibited. In this respect, information regarding whether a person is vaccinated or has suffered a disease constitutes health data in accordance with Article 4 of the GDPR. However, in this case, the ECF has argued sufficiently that, on the one hand, in order to comply with the legality in force, it should require the display of Passport Covid-19 to competition participants and, on the other hand, that there were people who displayed an antigen test, PCR or vaccination exemption document. In these circumstances, it cannot be claimed that the publication of the aforementioned acts allowed third parties to relate the persons identified to the acts, to the fact that they had been vaccinated against COVID-19, whenever, there were people who might not be vaccinated, and to have presented a PCR or an antigen test, and others who had a vaccination waiver document. For these reasons, the reported facts should be archived.

Disapproval of the claim of guardianship by right to delete a report and other data from the clinical history on the grounds of the optional person.

The claimant requested the removal of certain records of his clinical history which he considered incorrect. It is necessary to partially estimate the claim, since the entity gave an incomplete response, since it only referred to the deletion of any data that might appear in the clinical history of the applicant, without referring to demonstrations about the alleged falseness/incorrection of these data. The entity is required to request the amendment of the application so that the applicant can provide the proof of the alleged incorrections in the said background.

The complaining party initiated the present rights protection procedure before this Authority as it considered that the requested entity gave it the requested information (clinical course of visits of 12.09.22 and 21.09.22) in a manipulated manner. In this regard, it demanded access to the original annotations made by doctors doctors to the clinical course of the two reference visits. Well, in consultation with this Authority, the Hospital Clinico has stated that the information it gave to the complainant, in response to his request, is the original version of the notes that doctors made in the clinical course, and that this documentation has not been manipulated or modified. In this regard, the content of the Hospital's response was transferred to the requesting party, so that it would submit the allegations or evidence it considered relevant, warning it that, if within 10 days it did not submit any writings, it would be understood that the Hospital had fully complied with its application for access. After this period, the complaining party has argued nothing against considering their right of access satisfied, which is why it should be concluded that the information that the Hospital gave to the complainant, in response to his request, was all that was in their power. That being the case, it is appropriate to reject the complaint, because the entity gave a full response within the legally envisaged deadline, to the specific terms of the application.

The FCF made available to football sports clubs a form through which clubs had to identify members with a federal license who were positive of Covid-19 and the federated persons with whom they had been close contact. They also had to report the start date of symptoms and their vaccination state. In this regard, the FCF has argued that the collection of data was carried out in compliance with the Action Plan for Sports Deconfinement of the Government of Catalonia, within which the FCF drew up its Protocol to minimize COVID-19 infections. That being the case, it should be noted that Resolution SLT/3652/2021 of 7 December, which was in force at the time of the reported facts, referred to the content of the action plan for sports deconfinement in anything that did not contradict it. In relation to the above, it must be made on the basis that, knowing which people were positive from COVID-19, the date of symptom presentation, and their vaccination state, was information necessary for the adoption of decisions relating to the organisation of the sports competition. In the light of the above, it should be concluded that the reported processing was disabled by Article 6.1c) GDPR, with the exceptions provided for in Article 9.2g) and i), in connection with the current public health regulations and the prevention of COVID-19 infection.

The lack of a sufficient legal basis to enable the processing of workers' personal data in an electoral procedure by electronic voting prevents a response to the questions raised, since it would be necessary to keep to the specific provisions of legal empowerment and possible regulatory deployment, in order to assess the specific aspects relating to compliance with data protection regulations.

It resolves to admonish the ICS as being responsible for the infringement of the principle of confidentiality, since nursing staff would have accessed different clinical histories in an unjustified manner, and it resolves to archive the facts relating to certain accesses that are considered justified. It is also proposed that the entity take disciplinary action against the person responsible for improper access.

Undue access to the HC3 of the complainant is not credited. The filing of the complaint is resolved because the complainant has accredited that the data referring to the complainant's HC3 was extracted from an opinion submitted to them by the INS.

A private center communicated the result of an antigen test to the Health Department and this one, provided the said information to the educational center where the complainant provided his services. In this regard, Article 23 of Law 2/2021 of 29 March, on urgent measures for prevention, containment and coordination to deal with the health crisis caused by Covid-19 obliges establishments that carry out COVID-19 diagnostic tests to submit, on a daily basis, the results of the tests they carry out to the health authority and, in turn, Article 8.4 of Decree Law 41/2020, on extraordinary measures in the field of education to deal with the consequences of Covid-19, determines that the Health Department must communicate to the directors of educational centres, the health data corresponding to the results of the diagnostic tests. This being the case, it is appropriate to file the facts indicted since the communications concerned were carried out under Article 6.1 of the GDPR, in compliance with a legal obligation (in the case of the private laboratory), and in the exercise of public powers (in the case of the Ministry of Health). It should also be noted that, despite the notification of health data, the exceptions provided for in Article 9(2) and (i) of the GDPR would apply, which would allow the lifting of the ban on Article 9(1) of the GDPR.